Re: [Acme] WGLC for ACME DTN Node ID
Russ Housley <housley@vigilsec.com> Sat, 10 April 2021 15:39 UTC
These changes resolve my concerns.

Russ

> On Apr 9, 2021, at 5:40 PM, Brian Sipos <BSipos@rkf-eng.com> wrote:
>
> Russ,
> Thank you for the review comments. My responses are inline with prefix "[BS1]".
>
>> I think that this document is almost ready. I have a few comments.
>
>> MAJOR:
>
>> Section 4 points to Section 4.4.2 of [I-D.ietf-dtn-tcpclv4]; but that profile does not require the certificate to include an EKU of id-kp-bundleSecurity. When this document is used to verify control over the DTN Node ID, I think the issued certificate MUST include an EKU of id-kp-bundleSecurity. If other means are used to validate other identities, then other EKU values might be included as well.
>
> [BS1] This seems reasonable to require. I suppose the "email-reply-00" document [1] just leaves out any discussion of EKU because the preexisting S/MIME documents define a more concrete certificate profile and there is a lot of momentum behind S/MIME implementation. I'm going to add statements about the EKU in the CSR and the issued certificate.
>
>> Section 4.2 is talking about S/MIME certificates. I think there is a cut-and-paste error here.
>
> [BS1] Yes, these statements should replace "S/MIME" with "bundle security".
>
>> MINOR:
>
>> Section 3.1 says: "The only over-the-wire data required by ACME for a Challenge Bundle is a nonce token ...". This is the first time that "nonce" appears in the document. Please reword.
>
> [BS1] I removed this statement and replaced it with a statement about the token-part2 scope:
> The <token-part2> value included in this object is fixed for the entire challenge, and may correspond with multiple separate <token-part1> values when multiple Challenge Bundles are sent for a single validation.
>
>> Section 3.3 and 3.4: in the beginning of the section, please add a pointer to the document that defines these parameters. I think it is draft-ietf-dtn-bpbis.
>
> [BS1] That is the correct reference. I am adding a statement at the top of each section.
>
>> Section 6.1: please provide a reference for "BPSEC key material", and please spell out "BCB".
>
> [BS1] I removed this speculative text and replaced it with:
> It is possible for intermediate BP nodes to encapsulate-and-encrypt Challenge and/or Response Bundles while they traverse untrusted networks, but that is a DTN configuration matter outside of the scope of this document.
>
>> NITS:
>
>> Section 1: please spell out BP on first use.
>> Section 2: s/wildcard ("*") character/wildcard character ("*")/
>> Section 6.2: please spell out "BIB".
>
> [BS1] I am correcting all of these typos.
>
>
> [1] https://tools.ietf.org/html/draft-ietf-acme-email-smime-14
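The MAJOR point above is a certificate-profile rule: a certificate issued after a DTN Node ID validation must carry an EKU of id-kp-bundleSecurity, possibly alongside other EKU values. The following is an added example, not code from the draft or from either participant, showing how a relying party or CA test suite can check that rule with the `cryptography` library on a constructed self-signed certificate. It assumes id-kp-bundleSecurity is OID 1.3.6.1.5.5.7.3.35 ({ id-kp 35 }, as registered by the TCPCLv4 specification); confirm that against the IANA EKU registry before relying on it.

```python
# Added example: check the "issued certificate MUST include an EKU of
# id-kp-bundleSecurity" rule against a constructed test certificate.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumption: id-kp-bundleSecurity is { id-kp 35 } per the TCPCLv4 spec
# (draft-ietf-dtn-tcpclv4); verify against the IANA EKU registry.
ID_KP_BUNDLE_SECURITY = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.35")
# An unrelated, well-known EKU used below to show that extra values are allowed.
ID_KP_CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH


def make_cert(ekus):
    """Build a constructed self-signed certificate with the given EKU list.

    ekus=None omits the ExtendedKeyUsage extension entirely, which models a
    certificate issued under the plain TCPCLv4 profile without the ACME rule.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "dtn-node-test")])
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
    )
    if ekus is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


def has_bundle_security_eku(cert):
    """True only if an EKU extension is present and lists id-kp-bundleSecurity.

    Other EKU values may sit alongside it (other identities validated by other
    means); a missing extension or a list without the OID fails the check.
    """
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ID_KP_BUNDLE_SECURITY in eku
```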